What is CVE-2026-31832?

CVE-2026-31832 is a medium-severity vulnerability in Umbraco Umbraco-cms, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 5.4/10. Published 2026-03-10.

How severe is CVE-2026-31832?

Medium severity. CVSS v3 base score is 5.4 out of 10.

Auth bypass in Umbraco Umbraco-cms

CVE-2026-31832

Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes withou…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.001 (17.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L.

Affected products

Umbraco Umbraco-cms — versions >= 14.0.0, < 16.5.1, >= 17.0.0, < 17.2.0

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fpvf-fvp5-996r (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-31832?: CVE-2026-31832 is a medium-severity vulnerability in Umbraco Umbraco-cms, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 5.4/10. Published 2026-03-10.
How severe is CVE-2026-31832?: Medium severity. CVSS v3 base score is 5.4 out of 10.